MyBB Community Forums

Full Version: PHP in [img]
For example [img]http://blah.com/php.php[\img] *Note: the wrong slash was intentional.

pretty big security issue
It's not a security issue at all. There are cases when images are served through PHP scripts.
E.g. my changing avatar is a PHP script ;)
It can be used maliciously: getting and logging IPs, bringing up a login dialog, so phishing attempts. Alright. Give us the option to deny non-image avatars; it should be up to a forum admin, not the devs.
I don't like it either when users use this trick...
Checking the size (KB) of an image becomes totally useless.
One image is small, the other rotated image is bigger...
(2014-08-10, 01:08 PM)Robust Wrote: [ -> ]It can be used maliciously: getting and logging IPs, bringing up a login dialog, so phishing attempts. Alright. Give us the option to deny non-image avatars; it should be up to a forum admin, not the devs.

The only solution there is to disable image embedding altogether. Just because a file ends with .(png|jpg|gif) doesn't make it an image, it is easy enough to rewrite it to a .php file that can do whatever logging anyway (and regardless, the web server is going to log IPs no matter what the content being served). I'm pretty sure browsers won't show login dialogs from embedded images for phishing reasons (not 100% sure on this) - and again, it doesn't need to be a .php file to prompt for HTTP login.
(2014-08-10, 01:47 PM)Cameron:D Wrote: [ -> ]a file ends with .(png|jpg|gif) doesn't make it an image

Exactly...
And I hate http://signavatar.com/ and other similar services...
I think I'll probably create a script to allow only imgur and some other services on my forum.
(2014-08-10, 01:47 PM)Cameron:D Wrote: [ -> ]
(2014-08-10, 01:08 PM)Robust Wrote: [ -> ]It can be used maliciously: getting and logging IPs, bringing up a login dialog, so phishing attempts. Alright. Give us the option to deny non-image avatars; it should be up to a forum admin, not the devs.

The only solution there is to disable image embedding altogether. Just because a file ends with .(png|jpg|gif) doesn't make it an image, it is easy enough to rewrite it to a .php file that can do whatever logging anyway (and regardless, the web server is going to log IPs no matter what the content being served). I'm pretty sure browsers won't show login dialogs from embedded images for phishing reasons (not 100% sure on this) - and again, it doesn't need to be a .php file to prompt for HTTP login.

Can't you check the type like image/png? And yeah, browsers do show it.
(2014-08-10, 04:39 PM)Robust Wrote: [ -> ]Can't you check the type like image/png? And yeah, browsers do show it.

The server can return whatever type it wishes; once the image is added, the user can modify his/her server.

Forcing specific sites sounds better. Yet you will need to force it pretty much anywhere the user can put an image in...
Forcing the user to use only some sites would work, but that'd be really, really annoying. Nearly all signature images and URL avatars point to custom pages. E.g. mine point to JonesBoard and/or MyBBService...
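The exchange above makes two points that a validator has to respect: a `.png` extension or an `image/png` Content-Type header proves nothing, since the remote server chooses both, and a host allowlist is the only filter the posters consider workable. The following is an added example, not MyBB code or anything from this thread. It assumes the forum fetches a submitted image URL once and has the response header and body in hand; the allowlist, the sample URLs and the response bodies are constructed for the example. It rejects based on the leading bytes of the body (magic numbers for PNG, JPEG and GIF), ignores the extension, treats a header that disagrees with the sniffed type as a rejection, and checks the host first.

```python
"""Validate a user-supplied remote image URL before embedding it.

Added example, not MyBB's own code.  Assumes the forum fetched the URL
once at submission time and has the Content-Type header and the body.
"""
from urllib.parse import urlparse

# Constructed allowlist of image hosts (an assumption for this example).
ALLOWED_HOSTS = {"i.imgur.com", "imgur.com"}

# Magic bytes for the three formats the thread talks about.
_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def host_allowed(url, allowlist=ALLOWED_HOSTS):
    """True if the URL is http(s) and its host is on the allowlist."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in allowlist


def sniff_image_type(body):
    """Return the MIME type implied by the body's first bytes, or None.

    Neither the URL's extension nor the Content-Type header is consulted:
    both are chosen by the remote server and say nothing about the bytes.
    """
    for magic, mime in _SIGNATURES:
        if body.startswith(magic):
            return mime
    return None


def validate_image(url, declared_type, body, allowlist=ALLOWED_HOSTS):
    """Decide whether a fetched resource may be embedded as an image.

    Returns (accepted, reason).  The declared Content-Type is compared
    against the sniffed type but never trusted on its own.
    """
    if not host_allowed(url, allowlist):
        return False, "host not on allowlist"
    sniffed = sniff_image_type(body)
    if sniffed is None:
        return False, "body is not a PNG/JPEG/GIF"
    declared = declared_type.split(";")[0].strip().lower()
    if declared != sniffed:
        return False, f"Content-Type {declared!r} disagrees with sniffed {sniffed}"
    return True, sniffed


# Constructed sample fetches (not real traffic): (url, Content-Type, body).
SAMPLE_FETCHES = {
    # Genuine PNG, correctly labelled, on an allowed host.
    "good_png": ("https://i.imgur.com/abc.png", "image/png",
                 b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    # .png extension and image/png header, but the body is an HTML login
    # form served by a script: extension and header are both lies.
    "form_behind_png": ("https://i.imgur.com/abc.png", "image/png",
                        b"<html><form action=login>"),
    # Real GIF, but hosted on a site that is not on the allowlist.
    "gif_off_list": ("http://signavatar.com/x.gif", "image/gif",
                     b"GIF89a" + b"\x00" * 8),
    # The thread's own example: a script URL, rejected before any fetch
    # would even matter because the host is not allowed.
    "php_script": ("http://blah.com/php.php", "image/png",
                   b"\x89PNG\r\n\x1a\n"),
}


def run_samples():
    """Validate every constructed sample; returns {name: (accepted, reason)}."""
    return {name: validate_image(*args) for name, args in SAMPLE_FETCHES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

The check is a snapshot of what the server returned at submission time. As the last reply notes, the owner can change the server afterwards, so nothing here binds what later readers receive to what was validated; doing that would require the forum to fetch and store or proxy the bytes itself rather than embed the remote URL.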